[PLUG] Untrusted web sites

Dan Young danielmyoung at gmail.com
Thu Dec 2 20:52:24 UTC 2010


On Thu, Dec 2, 2010 at 9:23 AM, Randal L. Schwartz
<merlyn at stonehenge.com> wrote:
>>>>>> "John" == John Jason Jordan <johnxj at comcast.net> writes:
>
> John> Ever since upgrading from Fedora 13 to Fedora 14 Firefox is complaining
> John> several times a day about expired and untrusted certificates. Just now
> John> I had one from the website for the Department of Defense Manpower Data
> John> Center:
>
> John> www.dmdc.osd.mil/scra/owa/home
>
> After the redirect to https://www.dmdc.osd.mil/appj/scra/scraHome.do I
> get good certificates on OSX for Safari and Chrome (both probably using
> the built-in OSX security validation), but Firefox screams about it.
>
> Weird... Firefox must come with its own certs.  Firefox is definitely
> *not* a "native app" on OSX, so no surprise that it's also broken on
> OSX. :)

https://www.dmdc.osd.mil is signed by DOD CA-21, chained to DoD Root CA 2:

dyoung$ openssl s_client -connect www.dmdc.osd.mil:443 | head
depth=2 C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 2
verify error:num=19:self signed certificate in certificate chain
verify return:0
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=OSD/CN=www.dmdc.osd.mil
   i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-21
 1 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-21
   i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
 2 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
   i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
---

Firefox (really, NSS) does not include any DOD CA root certificates:
http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt

-- 
Dan Young
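The chain shown above, and the `verify error:num=19` that comes with it, are the whole story: the server sends leaf -> DOD CA-21 -> DoD Root CA 2, the last cert is self-signed, and the verifier has no copy of it in its trust store. The script below is an added example (not from the thread or from OpenSSL/NSS) that parses the "Certificate chain" block as `openssl s_client` prints it, checks that each issuer links to the next subject, and reproduces the trust decision against a given set of trusted root DNs. The chain text is copied from the post; the trust store is a constructed stand-in, and matching is by subject DN only, which is a simplification of what a real verifier does (it also checks keys and signatures).

```python
"""Parse `openssl s_client` chain output and explain the verify error.

Added example; the chain text is taken from the post, the trust store is
a constructed stand-in, and DN-string matching stands in for real
signature/key verification.
"""
import re

# Constructed sample: the "Certificate chain" block as openssl s_client prints it.
SAMPLE_CHAIN = """\
Certificate chain
 0 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=OSD/CN=www.dmdc.osd.mil
   i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-21
 1 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-21
   i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
 2 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
   i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
---
"""

# OpenSSL X509 verify result codes that show up in this situation.
ERR_DEPTH_ZERO_SELF_SIGNED = 18   # "self signed certificate"
ERR_SELF_SIGNED_IN_CHAIN = 19     # "self signed certificate in certificate chain"
ERR_NO_LOCAL_ISSUER = 20          # "unable to get local issuer certificate"

_MESSAGES = {
    0: "ok",
    ERR_DEPTH_ZERO_SELF_SIGNED: "self signed certificate",
    ERR_SELF_SIGNED_IN_CHAIN: "self signed certificate in certificate chain",
    ERR_NO_LOCAL_ISSUER: "unable to get local issuer certificate",
}

_SUBJECT = re.compile(r"^\s*(\d+) s:(.+)$")
_ISSUER = re.compile(r"^\s*i:(.+)$")


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them (leaf first)."""
    chain = []
    subject = None
    for line in text.splitlines():
        m = _SUBJECT.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = _ISSUER.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def check_links(chain):
    """True if every cert's issuer DN is the subject DN of the next cert sent."""
    return all(iss == nxt_subj
               for (_, iss), (nxt_subj, _) in zip(chain, chain[1:]))


def verify_against_store(chain, trusted_subjects):
    """Reproduce the trust decision: (depth, errnum), with (None, 0) on success.

    Walk from the leaf upwards. As soon as an issuer is in the trust store
    the chain is accepted. A self-signed cert that is not trusted yields
    error 18 at depth 0 or 19 deeper in the chain; running out of certs
    without reaching a trusted issuer yields error 20 at the last depth.
    """
    for depth, (subj, iss) in enumerate(chain):
        if iss in trusted_subjects:
            return (None, 0)
        if subj == iss:  # self-signed root the server sent, but we do not trust it
            return (depth, ERR_DEPTH_ZERO_SELF_SIGNED if depth == 0
                    else ERR_SELF_SIGNED_IN_CHAIN)
    return (len(chain) - 1, ERR_NO_LOCAL_ISSUER)


def explain(depth, errnum):
    """Format the result the way openssl s_client prints it."""
    if errnum == 0:
        return "verify ok"
    return "depth=%d verify error:num=%d:%s" % (depth, errnum, _MESSAGES[errnum])


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_CHAIN)
    assert check_links(chain)
    dod_root = "/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2"
    # Firefox/NSS: no DoD root shipped -> the error from the post.
    print("NSS-like store:", explain(*verify_against_store(chain, set())))
    # A store that has the DoD root installed accepts the same chain.
    print("with DoD root: ", explain(*verify_against_store(chain, {dod_root})))
```

To feed it real output, capture the chain with `openssl s_client -connect host:443 -showcerts </dev/null` (the `</dev/null` keeps s_client from waiting on stdin, which is why the `| head` in the post was needed); to confirm the root is the only missing piece, rerun with `-CAfile` pointing at a bundle that contains DoD Root CA 2 and watch the error disappear.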
